The One Sentence Definition

Password entropy is a measure of how unpredictable a password is, expressed in bits. Each additional bit doubles the number of guesses an attacker needs. It's the closest thing to an objective "strength score", and it explains why the passwords people think are strong often aren't.

How Entropy Is Calculated

Entropy depends on two things: the size of the character set and the length of the password. The formula is bits = length × log2(character set size). In plain terms:

  • Bigger character set = more bits per character. Lowercase only (26 options) gives about 4.7 bits per character; adding uppercase, digits, and symbols (94 options) gives about 6.6 bits each.
  • More length = proportionally more bits. This is the lever that matters most.

Rough benchmarks for truly random passwords:

PasswordApprox entropyVerdict
8 chars, all types~52 bitsCrackable
12 chars, all types~79 bitsStrong
16 chars, all types~105 bitsVery strong
4 random words~51 bitsGood and memorable
6 random words~77 bitsStrong and memorable

The Catch: "Random" Is Doing All the Work

Entropy math assumes the password is genuinely random. Human-created passwords are not. "Summer2024!" has maybe 70 bits by the naive formula, but its real entropy is far lower because attackers know the patterns: capital first letter, word, year, symbol at the end. Cracking tools try these patterns first, so the effective entropy collapses. This is the single most important thing to understand: predictability destroys entropy, no matter how the formula scores it. (The cracking reality is in our brute force guide.)

Entropy is only real if the randomness is real. A "12 character complex password" you invented yourself may have a fraction of its theoretical bits. A 12 character string from a random generator has all of them.

Why This Favours Passphrases

Here's entropy's practical lesson: adding length via random words is cheaper and more memorable than adding complexity via symbols. Four random words from a large list carry real, computable entropy because the selection is random, and each added word multiplies the guessing space enormously, while staying memorable. This is why "correct horse battery staple" beats "Tr0ub4dor&3" (our passphrase guide works the numbers). Length is the highest-leverage source of entropy.

How Much Is Enough?

  • Online accounts (rate-limited, with 2FA): ~70 bits is plenty, since attackers can't guess fast against a live login.
  • Encryption keys and master passwords (offline attack possible): aim for 80 to 100+ bits, because attackers can guess billions per second against stolen data.
  • The honest shortcut: use a generator for random passwords, or 5+ random words for memorable ones, and let a manager store the rest. Then add 2FA so entropy isn't your only defence.

Our password strength checker estimates entropy and cracking time for any password, running entirely in your browser, and our generator produces high-entropy passwords using cryptographic randomness.

Frequently Asked Questions

Is more entropy always better?

Up to a point of practicality. Beyond about 100 bits, you're protecting against attacks no computer on Earth can perform, so more entropy is wasted effort. The goal is enough entropy for the threat, plus 2FA, not maximum entropy for its own sake.

Why does my strong-looking password score low on entropy checkers?

Because good checkers detect patterns (dictionary words, keyboard walks, common substitutions, appended years) and discount them. A password that looks complex but follows predictable human habits has low real entropy, which the checker correctly reflects.

Does adding a symbol really add much entropy?

One symbol adds only a few bits, and if it's in a predictable place (a "!" at the end), attackers expect it, so it adds almost nothing in practice. Adding a whole random word adds far more (about 13 bits) and is easier to remember. Length beats sprinkled symbols.

How is entropy related to the 2FA codes I use?

A TOTP secret has around 160 bits of entropy: astronomically beyond any brute force. That's why the six digit codes derived from it are safe despite being short: the underlying secret is enormous. Entropy underpins both password and 2FA security (our OTP explainer).

Can I just make my password longer instead of learning this?

Essentially, yes: that's the practical takeaway. Longer + random = higher entropy, and random words make length painless. Understanding entropy just tells you why the "long and random" advice works, so you trust it.

Shoyeb Akter

Written by

Security Tools Developer and creator of 2FA Fast — a privacy-first browser-based authenticator and security tools platform.